Cyberespionage group targets traveling execs through hotel networks

For the past four years a group of sophisticated hackers has compromised the networks of luxury hotels to launch malware attacks against corporate executives and entrepreneurs traveling on business in the Asia-Pacific region.

The cyberespionage group, which researchers from Kaspersky Lab dubbed Darkhotel, operates by injecting malicious code into the Web portals used by hotel guests to log in to the local network and access the Internet, typically by inputting their last name and room number.

The infections are typically brief and are meant to target only specific guests by prompting them to download trojanized updates for popular software applications. The rogue software updates deploy malware implants that then download and install digitally-signed information-stealing programs.

"This group of attackers seems to know in advance when these individuals will arrive and depart from their high-end hotels," the Kaspersky Lab researchers said in a report released Monday. The attackers lie in wait until the travelers arrive and connect to the Internet, the researchers said.

After the victims check out of the hotel, the attackers disable the malicious code injected into the hotel's network portal and hide their tracks.

"Those portals are now reviewed, cleaned and undergoing a further review and hardening process," the Kaspersky researchers said.

The Darkhotel group is interesting because it uses a combination of both highly targeted and non-targeted, botnet-style attacks. The cracking of digital certificate keys combined with the use of zero-day vulnerabilities suggests a highly sophisticated team of developers. However, its command-and-control infrastructure is full of weak server configurations and basic mistakes suggesting that a less skilled team is in charge of it.

"Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more Darkhotel activity in the coming years," the Kaspersky Lab researchers said in a blog post.

The largest volume of attacks via hotel networks took place between August 2010 and 2013, but incidents were also recorded in 2014 and are currently being investigated.

The group, which is also known as Tapaoux, is believed to have been operating since at least 2007 and has also used other attack techniques over the years including spear-phishing emails with attachments or links that exploited zero-day vulnerabilities in Flash Player and Internet Explorer, and the distribution of malware via poisoned downloads on peer-to-peer networks.

Most of the malicious components used by the Darkhotel attackers are signed with valid digital certificates, either duplicated certificates whose weak 512-bit RSA keys they cracked or certificates that they stole from their rightful owners.

The group's malware toolset includes a malware downloader; a keylogger; a Trojan program that gathers system information; an information stealer component that collects passwords stored in browsers and other sensitive data; and a file-infecting virus that spreads via USB drives and network shares. These tools are detected as Tapaoux, Pioneer, Karba and Nemim, among other names, the Kaspersky researchers said.

Over 90 percent of malware infections associated with the Darkhotel group were detected in Japan, Taiwan, China, Russia and Korea. However infections were also found in the U.S., the United Arab Emirates, Singapore, Kazakhstan, South Korea, the Philippines, Hong Kong, India, Indonesia, Germany, Ireland, Mexico, Belgium, Serbia, Lebanon, Pakistan, Greece, Italy and other countries.

The targets were from a wide array of industries, including electronics manufacturing, finance, pharmaceuticals, and others. They also included individuals in defense and law-enforcement.

Microsites

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel.
Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Related Whitepapers

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.